JP7485106B2 - Vehicle, on-board control device, information processing device, vehicle network system, method for providing application program, and program - Google Patents

Description

The present invention relates to a vehicle, an on-board control device, an information processing device, a vehicle network system, a method for providing an application program, and a program.

Patent Document 1 discloses a fraud detection rule update method that updates fraud detection rules that detect fraud in an in-vehicle network system using updated fraud detection rules that are distributed and received from a server outside the vehicle.

JP 2016-134914 A

On the other hand, MaaS (Mobility as a Service)-enabled vehicles are expected to download and run application programs from external servers. For this reason, if the communication environment changes due to the installation of an application program, intrusion detection during communication may malfunction. For this reason, if fraud detection rules distributed unilaterally from a server outside the vehicle are used, as in the in-vehicle network system of Patent Document 1, there is a risk that intrusion detection may malfunction when an application program is installed.

The present invention aims to provide a vehicle, an on-board control device, an information processing device, a vehicle network system, a method for providing an application program, and a program that suppresses false intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

The first aspect is an in-vehicle control device that is mounted on a vehicle and includes a vehicle-side communication unit that communicates with at least an information processing device outside the vehicle, a reception unit that receives from the information processing device a request to install an application program related to a service that uses equipment of the vehicle, a notification unit that notifies the information processing device of a rule that defines whether a communication frame received by the vehicle-side communication unit is invalid or not, and equipment information related to the installation of the equipment in the vehicle, when the reception unit receives the installation request, an acquisition unit that acquires the notified rule and an updated rule based on the equipment information, as well as the application program, from the information processing device, and an update unit that updates the rule to the updated rule when the acquisition unit acquires the updated rule.

The vehicle control device of the first aspect is mounted on a vehicle and enables the installation of an application program provided from an information processing device. The vehicle control device performs intrusion detection in the vehicle-side communication unit based on rules that define whether a communication frame is unauthorized or not. Meanwhile, when the reception unit of the vehicle control device receives a request to install an application program, the notification unit notifies the information processing device of the rules related to the communication frame and equipment information related to optional equipment of the vehicle. In response to this, the information processing device updates the rules based on the notified rules and equipment information. Then, in the vehicle control device, the acquisition unit acquires the updated rules and the application program from the information processing device, and the update unit updates the rules related to the communication frame in conjunction with the installation of the application program.

The vehicle control device of the first aspect notifies the information processing device that is the provider of the application program of rules that affect the communication environment, i.e., rules related to communication frames, and equipment information related to optional equipment of the vehicle. This causes the rules to be updated in accordance with the new communication environment. Therefore, with this vehicle control device, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

The second aspect is an information processing device that includes an external vehicle communication unit that communicates with a vehicle-side communication unit provided in an on-board control device mounted on a vehicle, a request unit that issues a request to the on-board control device to install an application program related to a service that utilizes equipment of the vehicle, a collection unit that collects from the on-board control device that issued the installation request a rule that defines whether or not a communication frame received by the vehicle-side communication unit is fraudulent and equipment information related to the installation of the equipment in the vehicle, a generation unit that generates the rule updated based on the rule and the equipment information collected by the collection unit, and a provision unit that provides the application program and the updated rule generated by the generation unit to the on-board control device.

In the second aspect of the information processing device, an application program can be provided to an on-board control device mounted on a vehicle. Meanwhile, the on-board control device performs intrusion detection in the vehicle-side communication unit based on rules that define whether a communication frame is unauthorized or not. In the information processing device, a request unit requests the on-board control device to install the application program, and a collection unit collects rules related to the communication frame and equipment information related to optional equipment of the vehicle. Then, in the information processing device, a generation unit generates updated rules based on the collected rules and equipment information, and a provision unit provides the updated rules and the application program to the on-board control device.

The information processing device of the second aspect collects rules that affect the communication environment, i.e., rules related to communication frames and equipment information related to optional equipment of the vehicle, from the vehicle-mounted control device, updates the collected rules in accordance with the new communication environment, and provides them to the vehicle control device. Therefore, with this information processing device, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

The third aspect is a vehicle network system including the vehicle control device of the first aspect and an information processing device that communicates with the vehicle-side communication unit, and the information processing device includes a request unit that makes the installation request to the vehicle control device, a collection unit that collects the rules and the equipment information from the vehicle control device that made the installation request, a generation unit that generates the rules updated based on the rules and the equipment information collected by the collection unit, and a provision unit that provides the application program and the updated rules generated by the generation unit to the vehicle control device.

In the third aspect of the vehicle network system, an application program can be provided from an information processing device outside the vehicle to an on-board control device mounted on the vehicle. The on-board control device performs intrusion detection in the vehicle-side communication unit based on rules that define whether a communication frame is unauthorized or not. In the information processing device, a request unit requests the on-board control device to install the application program, and in response to the request, a notification unit notifies the rules related to the communication frame and equipment information related to optional equipment of the vehicle. Meanwhile, in the information processing device, a generation unit generates updated rules based on the collected rules and equipment information, and a provision unit provides the updated rules and the application program to the on-board control device. Then, in the on-board control device, an acquisition unit acquires the updated rules and the application program from the information processing device, and an update unit updates the rules related to the communication frame in conjunction with the installation of the application program.

In the third aspect of the vehicle network system, the on-board control device notifies the information processing device, which is the provider of the application program, of rules that affect the communication environment, i.e., rules related to communication frames, and equipment information related to optional equipment of the vehicle. The information processing device also updates the rules to match the new communication environment based on the collected rules and equipment information, and provides the updated rules to the vehicle control device. As described above, with this vehicle network system, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

The fourth aspect of the vehicle network system is the third aspect of the vehicle network system, in which the on-board control device further includes an execution unit that executes the application program acquired and installed by the acquisition unit, and the execution unit executes the application program after the update unit updates the updated rules.

In the fourth aspect of the vehicle network system, the application program is executed in the vehicle control device after updating the rules. Therefore, according to the vehicle network system, the communication frame that changes as a result of the vehicle control device executing the application program can be determined to be appropriate based on the updated rules.

The fifth aspect is a method for providing an application program, which provides an application program related to a service that utilizes equipment of a vehicle to an on-board control device mounted on a vehicle from an information processing device outside the vehicle, and includes the steps of: making an installation request for the application program from the information processing device to the on-board control device; notifying the information processing device from the on-board control device that has accepted the installation request of a rule that defines whether a communication frame received by a communication unit provided in the on-board control device is invalid and equipment information related to the installation of the equipment in the vehicle; generating the rule that has been updated based on the rule and the equipment information acquired by the information processing device; providing the application program and the updated rule from the information processing device to the on-board control device; installing the application program when the application program is acquired by the on-board control device; updating the rule to the updated rule when the updated rule is acquired by the on-board control device; and executing the application program after updating to the updated rule.

In the method for providing an application program described in the fifth aspect, the vehicle control device notifies the information processing device, which is the provider of the application program, of rules that affect the communication environment, i.e., rules related to communication frames, and equipment information related to optional equipment of the vehicle. The information processing device also updates the rules to match the new communication environment based on the collected rules and equipment information, and provides the updated rules to the vehicle control device. Therefore, according to the method for providing an application program, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle changes due to the installation of the application program. Furthermore, since the application program is executed in the vehicle control device after updating the rules, the communication frames that change as a result of the vehicle control device executing the application program can be determined to be appropriate based on the updated rules.

The sixth aspect is a program for an on-board control device mounted on a vehicle and communicating with at least an information processing device outside the vehicle to receive an application program related to a service that utilizes equipment of the vehicle, the program causing a computer to execute a process including the steps of: accepting an installation request for the application program from the information processing device; notifying the information processing device of a rule that defines whether a communication frame received by a communication unit provided in the on-board control device is invalid or not, and equipment information related to the installation of the equipment in the vehicle, when the installation request is accepted; acquiring from the information processing device the notified rule and an updated rule based on the equipment information, as well as the application program; and updating the rule to the updated rule when the updated rule is acquired in the on-board control device.

The program of the sixth aspect is a program that causes a computer to execute each process in an on-board control device. The program executes a process of notifying an information processing device that is the provider of the application program of rules that affect the communication environment, i.e., rules related to communication frames, and equipment information related to optional equipment of the vehicle. This causes the rules to be updated in accordance with the new communication environment. Therefore, according to the program, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

The seventh aspect is a program for an information processing device outside a vehicle to provide an application program related to a service that utilizes equipment of the vehicle to an on-board control device mounted on the vehicle, and causes a computer to execute processes including the steps of making a request to the on-board control device to install the application program, collecting rules that define whether a communication frame received by a communication unit provided in the on-board control device is fraudulent and equipment information related to the installation of the equipment in the vehicle from the on-board control device that made the installation request, generating the rules updated based on the collected rules and the equipment information, and providing the application program and the updated rules to the on-board control device.

The seventh aspect of the program is a program that causes a computer to execute processing in an information processing device. The program executes processing to collect rules that affect the communication environment from the vehicle control device, i.e., rules related to communication frames and equipment information related to optional equipment of the vehicle, update the collected rules in accordance with the new communication environment, and provide them to the vehicle control device. Therefore, according to the program, it is possible to suppress erroneous intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

According to the present invention, it is possible to suppress false intrusion detection even if the communication environment in the vehicle is changed by installing an application program.

1 is a diagram showing a schematic configuration of a vehicle network system according to a first embodiment; FIG. 2 is a block diagram showing a hardware configuration of an ECU according to the first embodiment. FIG. 2 is a block diagram illustrating an example of a functional configuration of a central GW according to the first embodiment. FIG. 2 is a block diagram showing a hardware configuration of a processing server according to the first embodiment. 2 is a block diagram showing an example of a functional configuration of a processing server according to the first embodiment; FIG. 10 is a sequence diagram showing a process flow until an application program is distributed from a processing server to a central GW in the first embodiment. FIG. 5 is a flowchart showing a flow of a detection learning process according to the first embodiment. FIG. 4 is a sequence diagram showing a process flow for distributing an application program in the first embodiment. FIG. 4 is a diagram showing a configuration of intrusion detection data in the first embodiment. 4 is a flowchart showing a flow of a simulation execution process according to the first embodiment;

[First embodiment]
FIG. 1 is a block diagram showing a schematic configuration of a vehicle network system 10 according to a first embodiment.

(overview)
As shown in FIG. 1, a vehicle network system 10 according to the first embodiment includes a vehicle 12, a processing server 14 serving as an information processing device, a mobile terminal 16, and a vehicle diagnostic device 18.

The vehicle 12 of this embodiment includes multiple ECUs (Electrical Control Units) 20 and a DCM (Data Communication Module) 24. The ECUs 20 include at least a central GW (Central Gateway) 20A, a body ECU 20B, and an engine ECU 20C. The central GW 20A is an example of an on-board control device.

Each ECU 20 and DCM 24 are connected via an external bus (communication bus) 22. The external bus 22 has a first bus 22A that connects the central GW 20A and the DCM 24, and a second bus 22B that connects the central GW 20A, the body ECU 20B, and the engine ECU 20C to each other. Communication is performed in the external bus 22 using the CAN (Controller Area Network) protocol. Note that the communication method of the external bus 22 is not limited to CAN, and CAN-FD (CAN With Flexible Data Rate), Ethernet (registered trademark), etc. may also be applied.

Each ECU 20 is connected to devices 26 required for controlling the vehicle or that constitute the vehicle. Note that the ECUs 20 connected to the central GW 20A via the second bus 22B are not limited to the body ECU 20B and engine ECU 20C, but various other ECUs can be connected, such as a transmission ECU, a meter ECU, a multimedia ECU, and a smart key ECU.

The central GW 20A is also connected to a connector (DLC: Data Link Connector) 28. This connector 28 can be connected to a vehicle diagnostic device 18, which is a diagnostic tool.

In the vehicle network system 10, the DCM 24 of the vehicle 12, the processing server 14, the mobile terminal 16, and the vehicle diagnostic device 18 are interconnected via a network N. The network N is a wireless communication system that uses communication standards such as 5G, LTE, and Wi-Fi (registered trademark).

The mobile terminal 16 is a communication device such as a smartphone or tablet terminal.

(ECU)
2, the ECU 20 includes a central processing unit (CPU) 201, a read only memory (ROM) 202, a random access memory (RAM) 203, a storage 204, a communication interface (I/F) 205, and an input/output interface 206. The CPU 201, the ROM 202, the RAM 203, the storage 204, the communication interface 205, and the input/output interface 206 are connected to each other via an internal bus 207 so as to be able to communicate with each other.

The CPU 201 is a central processing unit that executes various programs and controls each part. That is, the CPU 201 reads the programs from the ROM 202 and executes the programs using the RAM 203 as a working area. In this embodiment, an execution program 220 is stored in the ROM 202.

ROM 202 stores various programs and data. RAM 203 temporarily stores programs or data as a working area.

Storage 204 is configured with a HDD (Hard Disk Drive) or SSD (Solid State Drive) and stores data related to intrusion detection rules and intrusion detection learning parameters described below, as well as intrusion detection data (see FIG. 9). Note that each component of ECU 20, such as ROM 202 and storage 204, is preferably a tamper-resistant medium such as a HSM (Hardware security module).

The communication I/F 205 is an interface for connecting to the DCM 24 and other ECUs 20. This interface uses a communication standard based on the CAN protocol. The communication I/F 205 is connected to the external bus 22. The communication I/F 205 is a communication unit on the vehicle 12 side, and is an example of a vehicle-side communication unit.

The input/output I/F 206 is an interface for communicating with the equipment 26 installed in the vehicle 12.

Figure 3 is a block diagram showing an example of the functional configuration of central GW 20A. As shown in Figure 3, central GW 20A has an application processing unit 250 and an intrusion detection unit 260. Furthermore, application processing unit 250 has a reception unit 252, a notification unit 254, an acquisition unit 256, and an execution unit 258, and intrusion detection unit 260 has a detection learning unit 262 and an update processing unit 264. Each functional configuration is realized by CPU 201 reading and executing execution program 220 stored in ROM 202.

The application processing unit 250 has the function of performing processing related to the installation and execution of the application program 320.

The reception unit 252 has the function of receiving an installation request for the application program 320 from the processing server 14.

The notification unit 254 has a function of notifying the processing server 14 of the intrusion detection learning parameters in which the intrusion detection rules are defined and the equipment information related to the optional equipment of the vehicle 12 when the reception unit 252 receives an installation request. The intrusion detection rules are rules for determining whether the CAN communication frames received by the communication I/F 205 are unauthorized or not. The intrusion detection rules can be defined for the frame ID (hereinafter simply referred to as "ID") for communication arbitration in the CAN protocol, the contents of the data frame, the frame reception period, the reception period error, and the message recognition identifier (MAC), etc. The intrusion detection learning parameters are information that specifies the relationship between individual data frames and the intrusion detection rules to be applied. The intrusion detection learning parameters of this embodiment are an example of the rules of the present invention.

Here, an example of an intrusion detection rule that is applied when a communication frame related to mileage is received is given. When specifying the order of data frames based on ID, an intrusion detection rule can be specified in which, when frame A related to ID1 is received, frame B related to ID3 is next received, and then frame C related to ID4 is received. Also, when specifying an ID range, an intrusion detection rule can be specified in which, for example, a certain communication frame includes only ID1, ID3, and ID4.

Furthermore, when specifying the contents of a data frame, for example, an intrusion detection rule can specify that when a communication frame related to mileage is received, the total mileage of the odometer obtained from the data table increases over time. In this case, if the total mileage decreases over time, the intrusion detection unit 260 determines that the communication frame is fraudulent.

The acquisition unit 256 has a function of acquiring updated intrusion detection learning parameters and the application program 320 from the processing server 14. Here, the updated intrusion detection learning parameters are differential data generated based on the intrusion detection learning parameters and equipment information notified by the notification unit 254.

The execution unit 258 has a function of executing the installed application program 320. In addition, the execution unit 258 is configured to execute the application program 320 after the update processing unit 264, which will be described later, updates the intrusion detection learning parameters.

The intrusion detection unit 260 has the function of detecting unauthorized access to the communication I/F 205 and storing the unauthorized access.

When the detection learning unit 262 receives a communication frame based on the CAN protocol from the communication I/F 205, it has the function of determining whether there has been an intrusion that is an unauthorized access, and if so, storing the access. When the detection learning unit 262 receives a communication frame, it refers to the intrusion detection rules defined in the intrusion detection learning parameters and executes the detection learning process described below. In addition, the detection learning unit 262 has the function of updating the intrusion detection learning parameters.

The update processing unit 264, which serves as an update unit, has the function of updating the intrusion detection learning parameters before the application program 320 is installed to the updated intrusion detection learning parameters when the acquisition unit 256 acquires updated intrusion detection learning parameters.

(Processing Server)
FIG. 4 is a block diagram showing the hardware configuration of devices installed in the processing server 14 of this embodiment.

The processing server 14 is configured to include a CPU 141, a ROM 142, a RAM 143, a storage 144, and a communication I/F 145. The CPU 141, the ROM 142, the RAM 143, the storage 144, and the communication I/F 145 are connected to each other so as to be able to communicate with each other via an internal bus 147. The functions of the CPU 141, the ROM 142, the RAM 143, and the storage 144 are the same as those of the CPU 201, the ROM 202, the RAM 203, and the storage 204 of the ECU 20 described above.

In this embodiment, the storage 144 stores a processing program 300, a simulation program 310, and an application program 320. The simulation program 310 is a program for performing the simulation execution process described below. The application program 320 is a program that is installed in the central GW 20A and executed.

The communication I/F 145 is an interface for connecting to the network N, and uses communication standards such as 5G, LTE, and Wi-Fi (registered trademark). The communication I/F 145 is a communication unit on the processing server 14 side, and is an example of an external vehicle communication unit.

In this embodiment, the CPU 141 reads the processing program 300 from the ROM 142 and executes the processing program 300 using the RAM 143 as a working area. When the CPU 141 executes the processing program 300, the processing server 14 functions as the application management unit 350 and the communication simulation unit 360 shown in FIG. 5.

Figure 5 is a block diagram showing an example of the functional configuration of the processing server 14. As shown in Figure 5, the processing server 14 has an application management unit 350 and a communication simulation unit 360. The application management unit 350 has a request unit 352, a collection unit 354, and a provision unit 356, and the communication simulation unit 360 has a simulation execution unit 362 and a generation unit 364.

The application management unit 350 has a function of managing the application program 320 to be installed in the central GW 20A. The application management unit 350 also has a function of sending and receiving information between the central GW 20A of the vehicle 12.

The request unit 352 has a function of making an installation request for the application program 320 to the central GW 20A. The request unit 352 makes the installation request when the installation is approved by the mobile terminal 16 held by the user.

The collection unit 354 has the function of collecting the intrusion detection learning parameters in the central GW 20A and the equipment information related to the optional equipment of the vehicle 12 from the central GW 20A that has made the installation request.

The providing unit 356 has the function of providing the updated intrusion detection learning parameters generated by the application program 320 and the generating unit 364 described below to the central GW 20A.

The communication simulation unit 360 has the function of performing a simulation that simulates the communication environment in the vehicle 12.

The simulation execution unit 362 has a function of performing the simulation execution process described below. In the simulation execution process, the simulation execution unit 362 executes the simulation program 310 using the intrusion detection learning parameters and equipment information collected by the collection unit 354.

The generation unit 364 has the function of generating updated intrusion detection learning parameters as the simulation execution process is performed.

(Flow of Control)
In this embodiment, an example of the flow of processing until the application program 320 is installed will be described with reference to the sequence diagrams of FIGS.

In step S10 of FIG. 6, the CPU 201 of the central GW 20A executes a detection learning process as a function of the intrusion detection unit 260. That is, the CPU 201 monitors whether there is any unauthorized access to the communication I/F 205. The detection learning process will be described in detail later.

In step S11, the CPU 141 of the processing server 14 executes the registration of the application program 320 as a function of the application management unit 350. That is, the application program 320 to be installed in the central GW 20A is stored in advance in the storage 144.

In step S12, a user who wishes to use a service in the vehicle 12 consents to the installation of an application program 320 related to the service through the mobile terminal 16 carried by the user. For example, the user operates the touch panel of the mobile terminal 16 to consent to the installation of the application program 320 in the central GW 20A. This causes the mobile terminal 16 to send a command related to the consent to the installation to the application management unit 350 of the processing server 14. Note that the user's consent to the installation of the application program 320 is not limited to a method using the mobile terminal 16, but may also be given via a car navigation device or vehicle diagnostic device 18 mounted on the vehicle 12.

In step S13, the CPU 141, as a function of the application management unit 350 in the processing server 14, transmits an installation confirmation command to the application processing unit 250 of the central GW 20A. The installation confirmation command is transmitted from the processing server 14 to the central GW 20A via the DCM 24.

In step S14, the CPU 201 of the central GW 20A, as a function of the application processing unit 250, executes a judgment as to whether installation is possible. In this judgment, the CPU 201 checks the free space of the ROM 202, which is the installation destination of the application program 320, etc.

In step S15, the CPU 201 of the central GW 20A, as a function of the application processing unit 250, notifies the result of the judgment on whether or not the installation is possible. The result notification is sent from the central GW 20A to the processing server 14 via the DCM 24.

Next, the flow of the detection learning process in step S10 will be explained using the flowchart in Figure 7.

In step S100 of FIG. 7, the CPU 201 receives a communication frame. For example, the CPU 201 receives a communication frame transmitted from a server of the manufacturer of the vehicle 12, the communication frame including data related to the use or improvement of optional equipment of the vehicle 12.

In step S101, the CPU 201 determines whether the received communication frame is a communication frame that is a target for intrusion detection. If the CPU 201 determines that the received communication frame is a target for intrusion detection, the process proceeds to step S102. On the other hand, if the CPU 201 determines that the received communication frame is not a target for intrusion detection, the process proceeds to step S105.

In step S102, the CPU 201 checks whether or not there has been an unauthorized intrusion. Specifically, the CPU 201 checks whether or not there has been an unauthorized intrusion by referring to the intrusion detection rules defined by the intrusion detection learning parameters. If there is a communication frame that deviates from the intrusion detection rules, the CPU 201 determines that the communication frame is an unauthorized communication frame, and determines that an unauthorized intrusion has occurred.

In step S103, the CPU 201 determines whether or not an unauthorized intrusion has occurred. If the CPU 201 determines that an unauthorized intrusion has occurred, the process proceeds to step S104. On the other hand, if the CPU 201 determines that an unauthorized intrusion has not occurred, the process proceeds to step S105.

In step S104, the CPU 201 executes an intrusion countermeasure process. In the intrusion countermeasure process, the unauthorized communication frame is stored as intrusion detection data (see FIG. 9), the processing server 14 is notified of the unauthorized intrusion, and the unauthorized communication frame is isolated from the intrusion detection unit 260.

In step S105, the CPU 201 learns the communication environment based on the received communication frame. For example, if the communication environment in network N has changed, information related to the new communication environment is acquired. Also, if there is a change in an element not defined in the intrusion detection learning parameters, for example, if the reception cycle of a data table is set as the intrusion detection rule and a data table unrelated to the reception cycle is added (for example, if a data table related to date/time information or location information not previously present in the communication frame is added), the changed information is acquired and learned.

In step S106, the CPU 201 updates the intrusion detection learning parameters based on the learned information. At this time, the updated intrusion detection learning parameters are stored in the secure storage 204. Then, the detection learning process ends.

Next, the process flow for distributing application program 320 when the result of the determination in step S14 indicates that application program 320 can be installed will be described with reference to the sequence diagram in FIG. 8.

When installing an application program 320 that affects communications, the following process is performed.

In step S20, as a function of the application management unit 350 in the processing server 14, the CPU 141 makes a request for intrusion detection data to the central GW 20A. The request for intrusion detection data corresponds to a request to install the application program 320. Information related to the request for intrusion detection data is sent to the intrusion detection unit 260 via the DCM 24 and the application processing unit 250.

In step S21, in central GW20A, as a function of intrusion detection unit 260, CPU201 performs an intrusion detection data acquisition process. That is, CPU201 acquires intrusion detection data from secure storage 204. As shown in FIG. 9, the intrusion detection data is a table that includes data related to intrusion detection learning parameters.

In step S22, in the central GW 20A, the CPU 201, as a function of the intrusion detection unit 260, provides intrusion detection data to the processing server 14. The intrusion detection data is sent to the processing server 14 via the application processing unit 250 and the DCM 24.

In step S23, in the processing server 14, as a function of the application management unit 350, the CPU 141 makes a simulation execution request to the communication simulation unit 360.

In step S24, the CPU 141 of the processing server 14 executes a simulation execution process as a function of the communication simulation unit 360. The simulation execution process generates difference data, which is an updated intrusion detection learning parameter. Details of the simulation execution process will be described later.

In step S25, as a function of the communication simulation unit 360 in the processing server 14, the CPU 141 notifies the application management unit 350 of the updated intrusion detection learning parameters.

In step S26, as a function of the application management unit 350 in the processing server 14, the CPU 141 provides the application program 320 and the updated intrusion detection learning parameters to the central GW 20A. The application program 320 and the updated intrusion detection learning parameters are sent to the central GW 20A via the DCM 24. These may be sent as a single package or as separate data.

In step S27, in the central GW20A, the CPU201 executes the installation of the application program 320 as a function of the application processing unit 250.

In step S28, as a function of the application processing unit 250 in the central GW 20A, the CPU 201 notifies the body ECU 20B to turn on the functions related to the application program 320. The example in FIG. 8 is an example in which the application program 320 provides a service using the body ECU 20B and the devices 26 connected thereto, and depending on the content of the service, the functions of other ECUs 20 are turned on.

In step S29, in the body ECU 20B, the CPU 201 notifies the central GW 20A of the result of the function operation. Note that steps S28 and S29 are processes for checking the operation of the body ECU 20B before executing the application program 320, and are not necessarily required processes. For example, if the CPU 201 executes only step S28 to turn on the function of the body ECU 20B, it is not necessarily necessary to execute step S29 and receive the result notification. Also, for example, when executing the application program 320 in step S35 described below, the processes related to steps S28 and S29 may be executed first.

In step S30, in the central GW 20A, as a function of the application processing unit 250, the CPU 201 checks the installation status of the application program 320.

If it is confirmed in step S30 that the application program 320 has been installed correctly, proceed to the following steps.

In step S31, in central GW20A, as a function of the application processing unit 250, the CPU 201 provides the updated intrusion detection learning parameters to the intrusion detection unit 260.

In step S32, in central GW20A, CPU201 executes an update process as a function of intrusion detection unit 260. In the update process, the difference data contained in the updated intrusion detection learning parameters is applied to the existing intrusion detection learning parameters stored in storage 204 to update them. The updated intrusion detection learning parameters are stored in storage 204.

In step S33, in central GW20A, as a function of the intrusion detection unit 260, the CPU 201 notifies the application processing unit 250 of the update results of the intrusion detection learning parameters.

In step S34, in the central GW20A, as a function of the application processing unit 250, the CPU 201 notifies the installation status of the application program 320 and the update results of the intrusion detection learning parameters.

In step S35, the central GW 20A executes the application program 320 as a function of the application processing unit 250 (execution unit 258) by the CPU 201. Specifically, the CPU 201 requests the necessary information from the body ECU 20B whose function was turned ON in step S28, and receives information from the body ECU 20B. For example, in the case of the application program 320 that acquires the mileage of the vehicle 12, the CPU 201 requests the mileage information from the body ECU 20B, and acquires the mileage information from the body ECU 20B.

Next, the flow of the simulation execution process in step S24 will be explained using the flowchart in Figure 10.

In step S200 of FIG. 10, the CPU 141 starts the simulator by executing the simulation program 310, and inputs the intrusion detection data collected from the central GW 20A into the communication environment of the simulator. This inputs the intrusion detection learning parameters and the intrusion detection rules defined therein.

In step S201, the CPU 141 inputs the application program 320 to be installed into the simulator.

In step S202, the CPU 141 executes a simulator. The simulator executes a simulation of not only the communication status by the application program 320 but also the behavior of the ECU 20 (such as the operation of the devices 26). The simulator continues to execute until the intrusion detection learning parameters included in the intrusion detection data have been sufficiently learned.

In step S202, the CPU 141 generates updated intrusion detection learning parameters. The updated intrusion detection learning parameters do not need to include all of the defined rules, and in this embodiment, are generated as differential data. Then, the simulation execution process ends.

(Summary of the first embodiment)
The vehicular network system 10 of this embodiment is applied when a user who wishes to use a service in the vehicle 12 installs an application program 320 related to the service in the central GW 20A mounted in the vehicle 12. For example, assume that an insurance company provides a service that finely sets insurance rates according to mileage. In this case, the user permits the central GW 20A to install the application program 320 for acquiring mileage so that the insurance company can periodically acquire mileage from the vehicle 12.

When application program 320 is installed and executed in central GW 20A, central GW 20A becomes able to receive communication frames related to mileage, for example, from body ECU 20B. Here, the installation of application program 320 causes a change in the communication environment in central GW 20A, as it now receives communication frames related to mileage. Therefore, unless the intrusion detection rules defined in the intrusion detection learning parameters are updated so that communication frames related to mileage are permitted, the communication frames will be detected as unauthorized communication frames.

If the processing server 14 provides an intrusion detection rule that allows new communication frames to be transmitted, unauthorized detection can be avoided. However, because the presence or absence of optional equipment varies from vehicle to vehicle, the communication frames transmitted are not uniform, and the intrusion detection learning parameters are vehicle-specific. Considering the number of vehicles sold, storing all combinations of intrusion detection learning parameters would require enormous resources in the storage 144 of the processing server 14.

Therefore, in this embodiment, the application program 320 is configured to execute the following process when it is installed. The central GW 20A notifies the processing server 14, which is the provider of the application program 320, of the intrusion detection learning parameters for the communication frame and the equipment information related to the optional equipment of the vehicle 12. Meanwhile, the processing server 14 generates intrusion detection learning parameters adapted to the new communication environment based on the collected intrusion detection learning parameters and equipment information, and provides them to the central GW 20A.

As described above, according to this embodiment, even if the communication environment in the vehicle 12 is changed due to the installation of the application program 320, it is possible to suppress erroneous intrusion detection. Furthermore, because updated intrusion detection learning parameters are generated based on the intrusion detection learning parameters and equipment information collected from the central GW 20A, an increase in resources in the storage 144 of the processing server 14 is suppressed. In other words, an increase in costs can be suppressed.

In addition, in the central GW 20A of this embodiment, the application program 320 is executed after updating the intrusion detection learning parameters, so that the communication frame that changes as a result of the central GW 20A executing the application program 320 can be determined to be appropriate based on the updated intrusion detection learning parameters.

In addition, in this embodiment, the updated intrusion detection learning parameters are generated as differential data. In other words, it is not necessary to include all intrusion detection rules; it is sufficient to prepare the intrusion detection rules that have been added, deleted, or changed. This reduces the amount of communication between the processing server 14 and the central GW 20A, and the central GW 20A can quickly complete the update process (see step S32).

Second Embodiment
In the first embodiment, the processing server 14 and the central GW 20A communicate with each other through the DCM 24. In contrast, in the second embodiment, the processing server 14 and the central GW 20A can communicate with each other through the vehicle diagnostic device 18 connected to the central GW 20A.

This embodiment can achieve the same effects as the first embodiment.

[remarks]
In each of the above embodiments, a simulation is performed by a mock execution process when installing the application program 320. However, this is not limited to this. For example, when installing an application program 320 related to a previously installed application program, if the post-installation effects of changes in the communication environment, etc., are known, the mock execution process may be omitted.

In addition, the application program 320 in each embodiment is installed and executed in the central GW 20A, but this is not limited thereto, and it may be configured to be installed and executed in another ECU 20. For example, the application program 320 may be installed in the body ECU 20B. In this case, the application program 320 is executed in the body ECU 20B by receiving an execution instruction from the execution unit 258 of the central GW 20A.

In addition, in the central GW 20A of each embodiment, the functions of the application processing unit 250 and the functions of the intrusion detection unit 260 are realized by the same CPU 201, but this is not limited to this and each function may be realized by a separate CPU. In addition, in the processing server 14 of each embodiment, the functions of the application management unit 350 and the functions of the communication simulation unit 360 are realized by the same CPU 141, but this is not limited to this and each function may be realized by a separate CPU.

In the above embodiment, the processes executed by the CPU 201 after reading the software (programs) and the processes executed by the CPU 141 after reading the software (programs) may be executed by various processors other than the CPU. Examples of the processor in this case include a PLD (Programmable Logic Device) whose circuit configuration can be changed after manufacture, such as an FPGA (Field-Programmable Gate Array), and a dedicated electric circuit that is a processor having a circuit configuration designed specifically to execute a specific process, such as an ASIC (Application Specific Integrated Circuit). Each process may be executed by one of these various processors, or by a combination of two or more processors of the same or different types (for example, multiple FPGAs, a combination of a CPU and an FPGA, etc.). More specifically, the hardware structure of these various processors is an electrical circuit that combines circuit elements such as semiconductor devices.

In the above embodiment, the programs are described as being pre-stored (installed) in a non-transitory computer-readable recording medium. For example, in the central GW 20A of the vehicle 12, the execution program 220 is pre-stored in the ROM 202. In the processing server 14, the processing program 300 is pre-stored in the storage 144. However, this is not limiting, and each program may be provided in a form recorded on a non-transitory recording medium such as a CD-ROM (Compact Disc Read Only Memory), a DVD-ROM (Digital Versatile Disc Read Only Memory), or a USB (Universal Serial Bus) memory. Each program may also be downloaded from an external device via a network.

The process flow described in the above embodiment is also one example, and unnecessary steps may be deleted, new steps may be added, or the process order may be rearranged, without departing from the spirit of the invention.

10 Vehicle network system 12 Vehicle 14 Processing server (information processing device)
20 ECU
20A Central GW (on-board control device)
145 Communication I/F (external vehicle communication unit)
205 Communication I/F (communication unit, vehicle side communication unit)
220 Execution program (program)
252 Reception unit 254 Notification unit 256 Acquisition unit 258 Execution unit 264 Update processing unit (update unit)
300 Processing program (program)
320 Application program 352 Request unit 354 Collection unit 356 Provision unit 364 Generation unit

Claims (12)

A vehicle,
A communication unit that communicates with an information processing device outside the vehicle;
A notification unit that notifies the information processing device of equipment information related to equipment of the vehicle via the communication unit;
an acquisition unit that acquires from the information processing device a rule used for determining whether a communication frame communicated in the vehicle is fraudulent, the rule being updated based on the notified equipment information; and
an update unit that updates the rule to the updated rule when updating an application program related to a service that utilizes equipment of the vehicle;
A vehicle equipped with. a notification unit that notifies an information processing device outside the vehicle of equipment information related to equipment of the vehicle via a vehicle-side communication unit;
an acquisition unit that acquires from the information processing device a rule used for determining whether a communication frame communicated by the vehicle-side communication unit is fraudulent, the rule being updated based on the notified equipment information; and
an update unit that updates the rule to the updated rule when updating an application program related to a service that utilizes equipment of the vehicle;
An on-board control device comprising: a generation unit that generates rules used to determine whether a communication frame communicated by an external communication unit that communicates with a vehicle-side communication unit provided in an on-board control device mounted on a vehicle is fraudulent, the rules being updated based on equipment information related to the equipment of the vehicle collected from the on-board control device;
a provision unit that provides the generated updated rule to the in-vehicle control device when updating an application program related to a service that utilizes equipment of the vehicle;
An information processing device comprising: The acquisition unit acquires difference data of the rule from the information processing device,
The vehicle according to claim 1 , wherein the update unit updates the rule by using the difference data when updating an application program related to a service that utilizes equipment of the vehicle. 2. The vehicle according to claim 1, wherein the update unit, after installing an application program related to a service utilizing equipment of the vehicle, executes switching to the updated rule obtained from the information processing device, and then the application program is executed. a processing unit that determines whether installation of an application program related to a service utilizing equipment of the vehicle has been completed normally;
2. The vehicle according to claim 1, wherein when it is determined that installation of an application program related to a service utilizing equipment of the vehicle has been completed successfully, the update unit switches to the updated rule obtained from the information processing device, and then the application program is executed. The vehicle according to claim 1 , wherein the notification unit notifies the information processing device that switching to the updated rule has been completed. A vehicle network system including the on-board control device of claim 2 and an information processing device that communicates with the vehicle-side communication unit,
The information processing device includes:
A generation unit that generates updated rules based on the equipment information collected from the on-board control device;
a providing unit that provides the generated updated rule to the in-vehicle control device when updating the application program;
A vehicle network system comprising: The in-vehicle control device includes:
An execution unit that executes the application program,
The execution unit is
The vehicle network system according to claim 8 , wherein the update unit executes the updated application program after updating the updated rule. A method for providing an application program relating to a service utilizing equipment of a vehicle from an information processing device outside the vehicle to an on-board control device mounted in the vehicle, the method comprising:
notifying the information processing device of equipment information related to the equipment from the on-board control device;
generating a rule used for determining whether a communication frame communicated in a communication unit provided in the on-board control device is fraudulent, the rule being updated based on the equipment information acquired in the information processing device;
providing the updated rule from the information processing device to the in-vehicle control device when updating the application program;
When the updated rule is acquired in the on-board control device, updating the rule to the updated rule;
executing the updated application program after updates to the updated rules have been made;
A method for providing an application program comprising: A program for an in-vehicle control device that is mounted on a vehicle and communicates with at least an information processing device outside the vehicle to receive an application program related to a service that utilizes equipment of the vehicle,
notifying the information processing device of equipment information related to the equipment via a communication unit;
acquiring, from the information processing device, a rule used for determining whether or not a communication frame communicated in the communication unit is fraudulent, the rule being updated based on the notified equipment information;
A program for causing a computer to execute a process of updating the rule to the updated rule when the application program is updated. A program for an information processing device outside a vehicle to provide an application program related to a service using equipment of the vehicle to an on-board control device mounted on the vehicle,
generating a rule used for determining whether a communication frame communicated in a communication unit of the vehicle is fraudulent, the rule being updated based on equipment information related to equipment of the vehicle collected from the on-board control device;
providing the generated updated rule to the in-vehicle control device when updating the application program.